Prerequisites:
- SD-WAN with 'SLA' and 'config neighbor'. See the documentation.
- BGP with route-map. See the documentation.
The scenario below shows the route-tag on the HUB for the BGP route received from the Branch when the SLA is met:
In this scenario, the SD-WAN rule on the HUB is configured to match on the route-tag.
Consider the SD-WAN rule for Dialup_1_1, which initially meets the SLA.
On the Branch, the BGP neighbor is configured with route-map-out-preferable, applied while the SLA is met, and route-map-out, applied when the SLA is not met.
Now make Dialup_1_1 fail the SLA from the Branch.
Note that the route-tag for Dialup_1_1 changes to 5.
Because the route-tag no longer matches, the SD-WAN rule is not matched.
Traffic therefore falls through to the other SD-WAN rules whose SLA is met.
When the SLA recovers, the route-tag matches again and the SD-WAN rule is used again.
In the example below, the community is added on the Spoke side when the SLA is met and removed when the SLA fails:
FGT-SPOKE1 (SLA_LAN_HUB) # show
config health-check
    edit "SLA_LAN_HUB"
        set server "10.254.0.99"
        set sla-id-redistribute 1
        set members 2 1
        config sla
            edit 1
                set link-cost-factor latency    <-----
                set latency-threshold 1         <-----
            next
        end
    next
end
This happens because 'route-map-out-preferable' is applied, and the community set, only while the SLA is met. When the SLA fails, route-map-out-preferable is no longer applied and the community is withdrawn from the advertisement.
FGT-SPOKE1 (SLA_LAN_HUB) # show
config router bgp
    config neighbor
        edit 172.16.30.1
            set route-map-out-preferable VPN1
        next
        edit 172.16.31.1
            set route-map-out-preferable VPN2
        next
    end
end
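The route-maps VPN1/VPN2 referenced above and the matching HUB-side configuration are not shown on this page. The following is an added example, not the page's own configuration, of how the two ends of both scenarios (route-tag on the HUB, community from the Spoke) fit together: the Spoke route-map sets community 64561:1 on routes sent to 172.16.30.1 while SLA 1 of SLA_LAN_HUB is met, and the HUB matches that community on its inbound route-map, sets route-tag 1, and selects the member in an SD-WAN service rule by route-tag. The names VPN1_COMM and RM_IN_VPN1, the SD-WAN member sequence numbers, the SD-WAN neighbor entry, the service rule ID and the existing neighbor settings that are omitted (remote-as and so on) are assumptions.

```fortios
# Spoke (FGT-SPOKE1): community is only added while SLA 1 of SLA_LAN_HUB is met
config router route-map
    edit "VPN1"
        config rule
            edit 1
                set set-community "64561:1"
            next
        end
    next
end

# SD-WAN neighbor ties the BGP peer to the health-check SLA (assumed: member 1 faces 172.16.30.1)
config system sdwan
    config neighbor
        edit "172.16.30.1"
            set member 1
            set health-check "SLA_LAN_HUB"
            set sla-id 1
        next
    end
end

# route-map-out-preferable is applied while SLA 1 is met; nothing is applied when it fails
config router bgp
    config neighbor
        edit "172.16.30.1"
            set route-map-out-preferable "VPN1"
        next
    end
end

# HUB (FGT-HUBDC1): community 64561:1 -> route-tag 1 -> SD-WAN rule (assumed names)
config router community-list
    edit "VPN1_COMM"
        set type standard
        config rule
            edit 1
                set action permit
                set match "64561:1"
            next
        end
    next
end

# Rule 2 has no match clause so untagged routes are still accepted when the community is absent
config router route-map
    edit "RM_IN_VPN1"
        config rule
            edit 1
                set match-community "VPN1_COMM"
                set set-route-tag 1
            next
            edit 2
            next
        end
    next
end

config router bgp
    config neighbor
        edit "172.16.30.2"
            set route-map-in "RM_IN_VPN1"
        next
    end
end

# The rule only matches while the Spoke prefix carries route-tag 1 (assumed: member 1 is VPN_HUB1)
config system sdwan
    config service
        edit 1
            set name "To-Spoke1-via-VPN_HUB1"
            set route-tag 1
            set mode manual
            set priority-members 1
        next
    end
end
```

With this in place, a failed SLA on the Spoke removes the community, the HUB's inbound route-map no longer sets route-tag 1, and SD-WAN service rule 1 stops matching until the SLA recovers. The same pattern repeated for VPN2 with community 64561:2 and route-tag 2 gives the second path shown in the HUB output further down.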
The SLA state can be verified from the SD-WAN health-check status. sla_map is a bitmap of the SLAs the member currently meets: 0x0 means SLA 1 is failed, 0x1 means it is met. Here both members report latency above the 1 ms threshold configured above, so the SLA fails:
FGT-SPOKE1 # diagnose sys sdwan health-check status
Health Check(SLA_LAN_HUB):
Seq(2 HUB-MPLS): state(alive), packet-loss(0.000%) latency(1.399), jitter(0.600), mos(4.403), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0 <-----
Seq(1 VPN_HUB1): state(alive), packet-loss(0.000%) latency(1.117), jitter(0.493), mos(4.403), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0 <-----
The same check, repeated:
FGT-SPOKE1 # diagnose sys sdwan health-check status
Health Check(SLA_LAN_HUB):
Seq(2 HUB-MPLS): state(alive), packet-loss(0.000%) latency(1.376), jitter(0.640), mos(4.403), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0 <-----
Seq(1 VPN_HUB1): state(alive), packet-loss(0.000%) latency(1.124), jitter(0.552), mos(4.403), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0 <-----
HUB side: no community is received on the prefix announced by the Spoke, and no route tag is set on either path.
FGT-HUBDC1 (root) # get router info bgp network 192.168.12.0
VRF 0 BGP routing table entry for 192.168.12.0/24
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to peer-groups:
    "VPN_HUB1" "VPN_MPLS"
  Original VRF 0
  Local, (Received from a RR-client)
    172.16.31.2 from 172.16.31.2 (192.168.13.99)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal, best
      Receive Path ID: 1
      Advertised Path ID: 2
      Last update: Thu Oct 16 19:16:59 2025
  Original VRF 0
  Local, (Received from a RR-client)
    172.16.30.2 from 172.16.30.2 (192.168.13.99)
      Origin IGP distance 200 metric 0, localpref 100, valid, internal, best
      Receive Path ID: 1
      Advertised Path ID: 1
      Last update: Thu Oct 16 19:16:50 2025
When the SLA is met again (latency back under the 1 ms threshold, sla_map=0x1), the BGP community is sent from the Spoke to the HUB, and the HUB now shows both the community and the route tag on each path:
FGT-SPOKE1 # fnsysctl date
Thu Oct 16 19:17:25 CST 2025
FGT-SPOKE1 # diagnose sys sdwan health-check status
Health Check(SLA_LAN_HUB):
Seq(2 HUB-MPLS): state(alive), packet-loss(0.000%) latency(0.896), jitter(0.541), mos(4.403), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1 <-----
Seq(1 VPN_HUB1): state(alive), packet-loss(0.000%) latency(0.766), jitter(0.511), mos(4.404), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1 <-----
FGT-HUBDC1 (root) # fnsysctl date
Thu Oct 16 19:17:20 CST 2025
FGT-HUBDC1 (root) # get router info bgp network 192.168.12.0
VRF 0 BGP routing table entry for 192.168.12.0/24
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to peer-groups:
    "VPN_HUB1" "VPN_MPLS"
  Original VRF 0
  Local, (Received from a RR-client)
    172.16.31.2 from 172.16.31.2 (192.168.13.99)
      Origin IGP distance 200 metric 0, route tag 2, localpref 100, valid, internal, best
      Community: 64561:2 <-----
      Receive Path ID: 1
      Advertised Path ID: 2
      Last update: Thu Oct 16 19:17:18 2025
  Original VRF 0
  Local, (Received from a RR-client)
    172.16.30.2 from 172.16.30.2 (192.168.13.99)
      Origin IGP distance 200 metric 0, route tag 1, localpref 100, valid, internal, best
      Community: 64561:1 <-----
      Receive Path ID: 1
      Advertised Path ID: 1
      Last update: Thu Oct 16 19:17:23 2025
Additional detailed testing scenario: SD-WAN self-healing with BGP - FortiGate documentation.